asyncrat | 00eca3e9f1585ace0fc6923faad233b9b01b3f8da66cc59abbcc8fad4d3f35ad

General

Target

95ba552080033c4c4f8ee4ec1a216a60.vbs
Size

674KB
MD5

95ba552080033c4c4f8ee4ec1a216a60
SHA1

ae3fcbf804bdeff2d2121925468ea9c7f4e5d986
SHA256

00eca3e9f1585ace0fc6923faad233b9b01b3f8da66cc59abbcc8fad4d3f35ad
SHA512

1ff6e6a47888ab51c4903c977d4567f6f1cdf41e04f129013dda4cefca4a85e3ed949b8ac377b4e613e8afad7d2bda6558660cb2eda4854dfbbc0ee926f2ce8f
SSDEEP

384:obfnd8WP6VRB3u6RfXjM62GWT9CcjHjUJwv+6uhH/4be3EMuQVgo7ZxoP2Q9zZE/:obO

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

frankent2021.ddns.net:2455

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.vbs	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 720 set thread context of 2400	720	MSBuild.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 720	2936	WScript.exe	87
PID 2936 wrote to memory of 720	2936	WScript.exe	87
PID 2936 wrote to memory of 720	2936	WScript.exe	87
PID 720 wrote to memory of 4476	720	MSBuild.exe	89
PID 720 wrote to memory of 4476	720	MSBuild.exe	89
PID 720 wrote to memory of 4476	720	MSBuild.exe	89
PID 4476 wrote to memory of 3800	4476	csc.exe	90
PID 4476 wrote to memory of 3800	4476	csc.exe	90
PID 4476 wrote to memory of 3800	4476	csc.exe	90
PID 720 wrote to memory of 2400	720	MSBuild.exe	91
PID 720 wrote to memory of 2400	720	MSBuild.exe	91
PID 720 wrote to memory of 2400	720	MSBuild.exe	91
PID 720 wrote to memory of 2400	720	MSBuild.exe	91
PID 720 wrote to memory of 2400	720	MSBuild.exe	91
PID 720 wrote to memory of 2400	720	MSBuild.exe	91
PID 720 wrote to memory of 2400	720	MSBuild.exe	91
PID 720 wrote to memory of 2400	720	MSBuild.exe	91

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95ba552080033c4c4f8ee4ec1a216a60.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Public\Avast.xml
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b12tuxdw\b12tuxdw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57C5.tmp" "c:\Users\Admin\AppData\Local\Temp\b12tuxdw\CSCB234FC0B21354F5599592AD5ED25F74B.TMP"
      4⤵
      PID:3800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES57C5.tmp

Filesize
1KB

MD5
46333c16228fa059e91c7db8489ee306

SHA1
9407246af17e98118e09c67cf34eba088b4fa603

SHA256
5d9a453f792895ce9b584de12d78df4cef6ea267ba23754920b7b6186799f13f

SHA512
e0e4a5d4eb3be7cc93b4059e1c59d82b776bfa08582eaf12e1f5849549bd20ec18a3b5c35e1e855b8bd294fdb36949f3224bc86ce07a8cf6f0257b6b4714ff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\b12tuxdw\b12tuxdw.dll

Filesize
35KB

MD5
dd1df5f24ab76d6921c48eb15f702d4a

SHA1
2fe56307b1c3b8e705eff4753d44ddf947fce692

SHA256
01a3f51ac861b6c7f084277d22f2d43601eca3bfa15799b49cbb9069af573e50

SHA512
f86ab103988895964f70b99d8c88d4dfa7ef635760814faf685e4512a5170c43204348f09496c41e7e606cf650f781f0eaf743f9a52d8c1f459bc54ca691cbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b12tuxdw\b12tuxdw.pdb

Filesize
13KB

MD5
3971132e399663c79cc1b805c570ea07

SHA1
9823a3cee46f23558da7a7e60a3d8ce49679083b

SHA256
272f2c83dfd083525c4b8d60b7d614a35dab8d75351026f7916b222226d5d7c8

SHA512
95b629113631154029c84a95ab78a3fd6978710d546a71bd66ca4fb4443e75fb25ba55abe23940c737777d788d06004a08e284342053edd2f55f2e735b0f6844

Download Submit
C:\Users\Public\Avast.xml

Filesize
107KB

MD5
818e9f315cc504223d35be6beffa6924

SHA1
ef03dc9eea969aaff4414df8d1c13860f2b05167

SHA256
1a29079f87db28bbf04fde9ce88749ded368b3dbf4317d6ea11904201c44be34

SHA512
687a025c8e98ee8cb8fbfb28b4da9f0bd60597d944b3dc4d0b9c5c3204858aa9f85472c70ae743f923ea5d2d3f2786831b40f130b5279d1a971bee93869df364

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b12tuxdw\CSCB234FC0B21354F5599592AD5ED25F74B.TMP

Filesize
652B

MD5
0fd59f5244c3a33db12f877d1b1b5b66

SHA1
0ead069fbdfa716771d0c40e9c04b2cac60b4448

SHA256
cee259722da57378701adaf55c5fadf55fb655fb2cbcf0722ee5be0bd8a6b4b6

SHA512
45d8bd7d35139c08041305686d3ce8caea501c41ff70d51bf4461a156720d8445b2906b6e71a1661ef22e2d21a4a5e8b3683a5c1edb57487107ed6f77b4bfe4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b12tuxdw\b12tuxdw.0.cs

Filesize
106KB

MD5
a7c99d03e54108a5200845f6b328585f

SHA1
2fabc1d6ce1e3e161d8f7bb695848313bfb9e4df

SHA256
34ef806599ced48cf0b72c6b6b9b7db6570b51c847f76b2f4a63102e83ae8506

SHA512
135ef80f7b0979ba5b93e10acb26d01ce52bd9a7c7708306953c80309bcee921fe960d513fcc986853095fc69096947daa4a009f98a6d7f98311a4c1ea913bfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b12tuxdw\b12tuxdw.cmdline

Filesize
660B

MD5
3f1ad38d5df022abe376692dcdb7c441

SHA1
f79502eebc6de935871e616c668ecef181371f5a

SHA256
6fbbcc87b22ee66755fb76809af5f035972c97c9813f58d9b7db411bceb879a6

SHA512
939b5106095a9e45072da84c5b4bdcb7dbf0784992616cf00ba625c56783ab856a33dc1e3397abb95c051cc063d230cdbaa53d24b14178a9bcd684f8c5566d62

Download Submit
memory/720-3-0x0000000005610000-0x000000000562A000-memory.dmp

Filesize
104KB

Download
memory/720-1-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/720-10-0x00000000067A0000-0x000000000691C000-memory.dmp

Filesize
1.5MB

Download
memory/720-26-0x00000000062B0000-0x00000000062C0000-memory.dmp

Filesize
64KB

Download
memory/720-6-0x0000000005760000-0x0000000005790000-memory.dmp

Filesize
192KB

Download
memory/720-2-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/720-5-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/720-4-0x0000000005810000-0x000000000596A000-memory.dmp

Filesize
1.4MB

Download
memory/720-9-0x00000000062E0000-0x0000000006324000-memory.dmp

Filesize
272KB

Download
memory/720-8-0x00000000063C0000-0x00000000064E2000-memory.dmp

Filesize
1.1MB

Download
memory/720-11-0x0000000006990000-0x0000000006CF6000-memory.dmp

Filesize
3.4MB

Download
memory/720-29-0x00000000066C0000-0x000000000675C000-memory.dmp

Filesize
624KB

Download
memory/720-30-0x0000000006430000-0x000000000643A000-memory.dmp

Filesize
40KB

Download
memory/720-34-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2400-32-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2400-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2400-35-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/2400-36-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2400-37-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing